Geeks With Blogs

Michael Stephenson keeping your feet on premise while your heads in the cloud

This post provides an overview of the planned proofs of concept we have been working on to try and get this right. In this series of posts I intend to provide a step-by-step guide for setting up each of these scenarios, or, if a sufficient walkthrough is already available, I will point you to it. The proofs of concept I intend to cover are:

 

Web Services secured with Kerberos

This proof of concept aims to show we can create web services which can be secured with a Kerberos token.


Web Services using Delegation

This proof of concept aims to show we can create a web service which can delegate the client's credentials to access backend services under the context of the client. The following diagram shows how this will look.


BizTalk Signing and Encryption with Kerberos

This proof of concept aims to show we can use the WSE Adapter to call and expose services which are secured using Kerberos.  The following diagram shows how this is intended to look.


BizTalk Credential Delegation

This proof of concept aims to show we can flow credentials through BizTalk and call back end services under the context of the calling client. The following diagram shows how this is intended to look.


Proof Of Concept Summary


In the proof of concepts we need to be able to do the following set of things:


  • Send a request to a WSE web service which is signed and encrypted with a KerberosToken2


  • Receive a response from a WSE web service which is signed and encrypted with a KerberosToken2


  • Use delegation and KerberosToken2 to pass credentials from a client to a WSE web service and then forward them to another WSE web service where the back end service will impersonate the client


  • Use delegation and KerberosToken2 to pass credentials from a client to a WSE web service and then forward to a web service secured with IIS Windows Integrated Security


  • Send a request to a BizTalk WSE web service which is signed and encrypted with a KerberosToken2


  • Receive a response from a BizTalk WSE web service which is signed and encrypted with a KerberosToken2


  • Use delegation and KerberosToken2 to pass credentials from a client to a BizTalk WSE web service and then route through BizTalk and finally forward them to another WSE web service where the back end service will impersonate the client


  • Use delegation and KerberosToken2 to pass credentials from a client to a BizTalk WSE web service and then route through BizTalk and finally forward to a web service secured with IIS Windows Integrated Security


  • Send a request to and get a response from a WSE Web Service using the BizTalk WSE 2 adapter to sign and encrypt a message with a KerberosToken2
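The first two requirements (sign and encrypt the request with a KerberosToken2) and the delegation requirements share the same WSE 2.0 client pattern, so here is one added example of both sides of that exchange. This is my illustration, not code from the original post or from the proofs of concept; it assumes the WSE 2.0 SP2 API names (`KerberosToken2`, `ImpersonationLevel`, `MessageSignature`, `EncryptedData`, `SoapContext`) and a hypothetical WSE-generated proxy `PocServiceWse` with an `Echo` operation, with the service URL and SPN supplied as placeholders.

```csharp
using System;
using System.Security;
using Microsoft.Web.Services2;
using Microsoft.Web.Services2.Security;
using Microsoft.Web.Services2.Security.Tokens;

// Client side: sign and encrypt the outgoing request with a KerberosToken2.
// PocServiceWse, Echo, the URL and the SPN are hypothetical placeholders.
public static class KerberosPocClient
{
    public static string CallService(string serviceUrl, string servicePrincipalName, bool needDelegation)
    {
        PocServiceWse proxy = new PocServiceWse();
        proxy.Url = serviceUrl;

        // Delegation is only required for the "flow the client's credentials onward" PoCs;
        // the plain sign/encrypt PoCs should request the lower Impersonation level.
        ImpersonationLevel level = needDelegation ? ImpersonationLevel.Delegation
                                                  : ImpersonationLevel.Impersonation;
        KerberosToken2 token = new KerberosToken2(servicePrincipalName, level);

        SoapContext ctx = proxy.RequestSoapContext;
        ctx.Security.Tokens.Add(token);
        ctx.Security.Elements.Add(new MessageSignature(token)); // integrity and caller identity
        ctx.Security.Elements.Add(new EncryptedData(token));    // confidentiality of the body
        return proxy.Echo("hello");
    }
}

// Server side: accept only requests that are both signed and encrypted by the same
// KerberosToken2, so a caller cannot silently downgrade to signed-only or encrypted-only.
public static class KerberosPocService
{
    public static KerberosToken2 RequireSignedAndEncrypted(SoapContext ctx)
    {
        KerberosToken2 kerb = null;
        foreach (SecurityToken t in ctx.Security.Tokens)
        {
            kerb = t as KerberosToken2;
            if (kerb != null) break;
        }
        if (kerb == null) throw new SecurityException("KerberosToken2 required");

        bool signed = false, encrypted = false;
        foreach (ISecurityElement e in ctx.Security.Elements)
        {
            MessageSignature sig = e as MessageSignature;
            if (sig != null && sig.SigningToken == kerb) signed = true;
            EncryptedData enc = e as EncryptedData;
            if (enc != null && enc.SecurityToken == kerb) encrypted = true;
        }
        if (!signed || !encrypted)
            throw new SecurityException("request must be signed and encrypted with the Kerberos token");
        return kerb; // kerb.Principal is the authenticated caller for authorization decisions
    }
}
```

The service method would call `RequireSignedAndEncrypted(RequestSoapContext.Current)` before doing any work, and only the delegation PoCs need the token obtained at the Delegation level.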
Posted on Monday, February 5, 2007 9:38 PM BizTalk , .net 2 , Kerberos Adventures


Comments on this post: Kerberos Adventures - Overview

# re: Kerberos Adventures - Overview
Hi Michael,

I wonder whether the "BizTalk Credential Delegation" scenario has worked. Currently I'm trying to achieve a similar result with identity propagation.

Client Web App => BTS 2006 R2 WCF web service => BTS 2006 R2 => SAP

Left by Dimitri on Sep 22, 2008 9:01 PM

# re: Kerberos Adventures - Overview
Hi Michael,
I just upgraded to BizTalk 2010. I'm experiencing a Security-Kerberos event 7 error when the BizTalk application calls an orchestration exposed as a web service: "The digitally signed Privilege Attribute Certificate (PAC) that contains the authorization information for client service account name in realm domain name could not be validated". I have checked all the IIS settings and I don't see anything that looks incorrect... Can you please advise?

Thanks
Daryl
Left by Daryl on Mar 08, 2011 7:27 AM

# re: Kerberos Adventures - Overview
Hi

Dimitri - There is a great article from Paolo on the BizTalk CAT team about this if you search for protocol translation and delegation with BizTalk.

Daryl - Sorry, I'm not familiar with that error. The error sounds like something to do with validating your token. My thoughts would be:

- Is it the right service account and SPN combination you have used server side?

- Is it WSE or WCF that you're using, and is the policy cache or web.config right?

- Does your new machine have the correct setup on the domain etc.?
Left by Mike on Mar 11, 2011 3:17 PM



Copyright © Michael Stephenson | Powered by: GeeksWithBlogs.net